
Critical WSO2 SOAP Vulnerability Let Attackers Reset Password for Any User Account

A critical security vulnerability in multiple WSO2 products has been discovered that allows attackers to reset passwords for any user account, potentially leading to complete system compromise. 

CVE-2024-6914, published on May 22, 2025, represents a severe threat to organizations using WSO2’s enterprise software suite; it carries a CVSS score of 9.8 (Critical). 

The vulnerability stems from an incorrect authorization flaw in the account recovery SOAP admin service, enabling malicious actors to bypass authentication mechanisms and gain unauthorized access to user accounts, including those with elevated administrative privileges.

The flaw is a business logic error within WSO2’s account recovery-related SOAP admin service, reachable through endpoints exposed under the /services context path. 

Critical WSO2 SOAP Vulnerability

This incorrect authorization vulnerability, classified under CWE-863 (Incorrect Authorization), allows remote attackers to execute password reset operations without proper authentication or authorization checks. 

The attack vector requires no user interaction and can be executed remotely over the network, making it particularly dangerous for organizations with publicly accessible WSO2 deployments.

According to the official security advisory, the vulnerability affects the core authentication mechanisms of WSO2 products. 

When exploited successfully, attackers can take control of targeted accounts, including administrative users, thereby posing significant security risks to the entire infrastructure. 

The Zero Day Initiative has documented this as an “Exposed Dangerous Function Authentication Bypass Vulnerability,” highlighting how the flaw results from the exposure of dangerous functions within the user self-registration process.

Risk Factors and Details

Affected Products:
- WSO2 API Manager 2.2.0 to 4.3.0
- WSO2 Identity Server 5.3.0 to 7.0.0
- WSO2 Identity Server as Key Manager 5.3.0 to 5.10.0
- WSO2 Open Banking AM/IAM/KM 1.3.0 to 2.0.0

Impact: Full account takeover

Exploit Prerequisites:
- Exposure of /services SOAP admin endpoints to untrusted networks
- Lack of network segmentation per WSO2’s Security Guidelines for Production Deployment

CVSS 3.1 Score: 9.8 (Critical)

Affected Products

The vulnerability impacts a wide range of WSO2 products across multiple versions. Affected systems include WSO2 API Manager versions 2.2.0 through 4.3.0, WSO2 Identity Server versions 5.3.0 through 7.0.0, WSO2 Identity Server as Key Manager, and various WSO2 Open Banking products. 

The comprehensive scope of affected products underscores the severity of this security issue, as these enterprise-grade solutions are widely deployed in production environments worldwide.

The attack mechanism leverages the SOAP admin services framework, which handles account recovery operations. Attackers can craft malicious requests to the /services endpoint to trigger unauthorized password reset functionality. 


The vulnerability’s exploitability is enhanced by its network-accessible nature, with the CVSS vector string indicating that it can be exploited over the network with low attack complexity and requires no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Organizations using affected WSO2 products should immediately implement security measures to mitigate this critical vulnerability. 

The primary recommendation involves following WSO2’s “Security Guidelines for Production Deployment” to restrict access to SOAP admin services from untrusted networks. 

When these guidelines are properly implemented, the CVSS score reduces from 9.8 to 8.8, though the risk remains high.

Immediate mitigation steps include disabling public exposure of the /services context path, implementing network-level access controls to restrict SOAP admin service access to trusted networks only, and monitoring for unauthorized password reset attempts. 

System administrators should also review and tighten authorization mechanisms across their WSO2 deployments and consider implementing additional authentication layers for administrative functions.
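The monitoring step above is easy to state and easy to get wrong in practice, because a bare hit on /services tells you nothing unless you also know whether the source was trusted and whether the request was actually served. The following script is an added example, not code from the article or from WSO2: it walks an Apache/Tomcat-style access log, flags SOAP admin service calls under /services that were served to addresses outside an allow-list of trusted networks, and counts repeated account-recovery calls per source so bursts stand out. The log lines, the trusted ranges, and the service path /services/ExampleAccountRecoveryService are all constructed for the example; the article does not name the exact recovery endpoint, so the check keys on the /services prefix and on the word "recover" in the path.

```python
"""
Added example (not from the article or from WSO2): detect SOAP admin service
traffic under /services that reached the server from untrusted networks.

Assumptions (all constructed for this example):
  * access log lines are in the common Apache/Tomcat format
  * TRUSTED_NETWORKS lists the only ranges that should reach /services
  * account-recovery services have "recover" somewhere in their path
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Constructed allow-list: adjust to the networks your admin tooling lives on.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Every request under /services is a SOAP admin service call.
SERVICES_RE = re.compile(r"^/services(/|$)")
# Assumption: recovery-related services carry "recover" in the path.
RECOVERY_RE = re.compile(r"recover", re.IGNORECASE)

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the service path is a placeholder, not a real endpoint.
SAMPLE_LOG = """\
203.0.113.45 - - [22/May/2025:10:01:12 +0000] "POST /services/ExampleAccountRecoveryService HTTP/1.1" 200 512
203.0.113.45 - - [22/May/2025:10:01:13 +0000] "POST /services/ExampleAccountRecoveryService HTTP/1.1" 200 498
10.0.5.20 - - [22/May/2025:10:02:00 +0000] "POST /services/ExampleAccountRecoveryService HTTP/1.1" 200 512
198.51.100.7 - - [22/May/2025:10:03:30 +0000] "GET /services/ HTTP/1.1" 403 0
192.168.1.10 - - [22/May/2025:10:04:00 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1024
203.0.113.99 - - [22/May/2025:10:05:00 +0000] "GET /oauth2/token HTTP/1.1" 401 0
"""


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Label a parsed entry; None means it is not a /services request worth noting.

    Only requests that were actually served (2xx) from an untrusted source count
    as exposure; a 403/404 from outside shows the network control is working.
    """
    path = entry["path"].split("?", 1)[0]
    if not SERVICES_RE.match(path):
        return None
    served = entry["status"].startswith("2")
    recovery = bool(RECOVERY_RE.search(path))
    if is_trusted(entry["ip"]):
        # Trusted callers are expected, but recovery calls are still audit-worthy.
        return "recovery-call-trusted" if recovery else None
    if not served:
        return "services-blocked"
    return "recovery-call-untrusted" if recovery else "services-exposed"


def summarize(log_text: str):
    """Return (findings, per_ip) where findings is a list of
    (ip, path, status, label) tuples and per_ip counts untrusted recovery calls."""
    findings = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is None:
            continue
        findings.append((entry["ip"], entry["path"], entry["status"], label))
        if label == "recovery-call-untrusted":
            per_ip[entry["ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, counts = summarize(SAMPLE_LOG)
    for ip, path, status, label in found:
        print(f"{label:24} {ip:15} {status} {path}")
    for ip, n in counts.most_common():
        print(f"untrusted recovery calls from {ip}: {n}")
```

Two served recovery calls from 203.0.113.45 are the finding that matters; the 403 from 198.51.100.7 is evidence that the /services restriction is in place for that path, and the trusted call from 10.0.5.20 is recorded so a reviewer can still reconcile it against legitimate help-desk activity.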

WSO2 has released security patches addressing this vulnerability, and organizations are strongly advised to apply these updates immediately. 

The availability of proof-of-concept exploit code and the vulnerability’s inclusion in various threat intelligence feeds indicate active interest from the security research community, potentially increasing exploitation risk for unpatched systems.


The post Critical WSO2 SOAP Vulnerability Let Attackers Reset Password for Any User Account appeared first on Cyber Security News.
